FTD NAT

jebankshrcu
Level 1

Hi Team,

So currently I have an FTD that I manage via FDM. I am trying to access an internal host from the outside via port 8888, but internally it should translate back to SSH (22). The screenshot is my NAT rule. Not sure if I am doing something wrong and what else I am missing, because I have the rules wide open to see if that's the issue, but still nothing.

jebankshrcu_0-1716505051733.png


balaji.bandi
Hall of Fame

What is the error you are getting when you initiate the connection from the outside IP address and port 8888?

Does the web server run a service on port 22? Web servers generally run on 443, so what web server is this?

I have tested this in my lab some time ago and it works as expected; for reference:

https://www.balajibandi.com/?p=1855

Debug: run it on FDM or the CLI and first see whether the packet is reaching the outside interface or not, before it is processed by NAT and the inside ACL.

Sometimes the provider does not allow some incoming packets on odd ports.

BB


Marvin Rhoads
Hall of Fame

Try packet-tracer from the FTD CLI and let us know what you get:

packet-tracer input outside tcp 1.1.1.1 1234 <outside interface address> 8888

https://community.cisco.com/t5/security-knowledge-base/troubleshooting-access-problems-using-packet-tracer/ta-p/3114976

Also make sure there are no other rules or active connections using that same TCP port on the outside interface.

First, change the rule from auto NAT to "NAT rules before".
Second, make sure you allow the real IP and port 22 in the ACP.

MHM

So by changing it from auto, you mean use manual NAT like the image attached?

jebankshrcu_0-1716657233286.png


Run a packet-tracer from the CLI. Verify that the access rules and NAT statements that are being hit are correct and that the action is allowed. If that looks good, set up a packet capture on the web portal interface and see whether traffic is being captured in both directions. If you are only seeing traffic out towards the server but nothing in return, then the issue is either with the server itself or in the path between the firewall and the server.

If possible, you can also run a tcpdump on the server in question and see whether the SSH session is actually reaching the server.

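As an added example (not from this thread or from Cisco), a small Python check that reads packet-tracer output and confirms the two things the replies above ask you to verify for a port-forward: that the UN-NAT phase sends the flow to the real host on port 22, and that the access-list phase and the final verdict allow it. The sample trace, the outside address 203.0.113.10 and the internal host 192.168.10.5 are constructed.

```python
import re

# Constructed sample of FTD packet-tracer output for the poster's flow
# (outside tcp 1.1.1.1 1234 -> <outside address> 8888); not from a real device.
# Assumed addresses: 203.0.113.10 = outside interface, 192.168.10.5 = internal host.
SAMPLE_TRACE = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
nat (inside,outside) source static INT-HOST interface service tcp ssh 8888
Untranslate 203.0.113.10/8888 to 192.168.10.5/22

Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Config:
access-list CSM_FW_ACL_ advanced permit tcp any host 192.168.10.5 eq ssh

Result:
input-interface: outside
output-interface: inside
Action: allow
"""

def check_port_forward(trace, real_host, real_port):
    """Return (ok, findings): ok is True only when the trace un-translates to
    real_host:real_port, the ACCESS-LIST phase allows the flow, and the final
    verdict is 'Action: allow'. findings lists each failed check."""
    findings = []
    unnat = re.search(r"^Untranslate \S+/(\d+) to (\S+)/(\d+)", trace, re.M)
    if unnat is None:
        findings.append("no UN-NAT phase: the NAT rule was not matched on the outside interface")
    elif (unnat.group(2), int(unnat.group(3))) != (real_host, real_port):
        findings.append(f"NAT sends the flow to {unnat.group(2)}:{unnat.group(3)}, "
                        f"expected {real_host}:{real_port}")
    acl = re.search(r"^Type: ACCESS-LIST\n(?:.*\n)*?Result: (\w+)", trace, re.M)
    if acl is None:
        findings.append("no ACCESS-LIST phase: check the ACP rule for the real IP and port")
    elif acl.group(1) != "ALLOW":
        findings.append("access rule blocks the flow: the ACP must permit the real IP and port 22")
    action = re.search(r"^Action: (\w+)", trace, re.M)
    if action is None or action.group(1) != "allow":
        drop = re.search(r"^Drop-reason: (.*)$", trace, re.M)
        findings.append("packet-tracer verdict is not allow" + (f" ({drop.group(1)})" if drop else ""))
    return (not findings, findings)
```

Paste the real packet-tracer output in place of the sample and the findings point at whichever of the NAT rule, the ACP rule or the final verdict is wrong.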

jebankshrcu
Level 1

How can I do this NAT rule on a Cisco FTD using FDM rather than FMC?

jebankshrcu_0-1716844464475.png


Sorry to keep you waiting.
I was busy.

jebankshrcu_0-1716657233286x.png